Nuclear plants are provided with safety protection instrumentation systems for preventing or suppressing failures that can degrade the safety of the plants, or that are expected to occur. A radiation measuring apparatus in the safety protection instrumentation system is intended to provide each operating circuit with information indicating conditions for isolating parts where the radiation dose has increased, or actuating emergency gas treatment apparatus in order to suppress radioactive material from leaking outside the plant if the radiation dose in the plant has increased for any reason.
In recent plants, digital signal processing technology is applied to these radiation-measuring apparatuses in the safety protection instrumentation systems. In the digital signal processing, CPUs perform digital calculations involving a digital filter and/or multiple signals (for example, refer to Japanese Patent Application No. 2653522). In contrast, there are systems that use an ASIC or FPGA (Application Specific Integrated Circuit / Field Programmable Gate Array), which are hardware logic, without using CPUs (for example, refer to U.S. Pat. No. 5,859,884). In such systems, ASICs rather than CPUs control the procedures, which simplifies the operations.
The safety protection instrumentation systems, which serve an important function, are required, for example, to prevent loss of function due to a single failure by providing redundant or independent devices. In digital systems using software, the function of the redundant devices can be lost due to a software failure when the same software is used in each of the redundant channels. In addition, since digital processing is discrete processing, the possibility of unexpected behavior, such as abnormal outputs due to an internal failure, is higher in digital systems than in analog devices if a specific sequence of conditions happens to occur.
Accordingly, it is necessary not only to perform quality assurance activities that ensure high quality throughout design and manufacturing, but also to eliminate common-cause failures caused by software faults and to adopt appropriate protective measures against uncontrolled modifications in digital processing using software. In particular, a verification and validation activity (hereinafter referred to as “V&V”) is performed as one method of preventing common-cause failures caused by software faults. “V&V” is a quality assurance activity that includes verification of whether the functions required of the digital protection systems are correctly carried over from the upper phases of software design and manufacturing to the lower phases, and validation that the required functions are fully realized in the systems manufactured through that verification.
In contrast, since systems using ASICs or FPGAs instead of CPUs are built as hard-wired logic, the processing is deterministic and, therefore, the processing time is determinable, unlike processing by CPUs. Systems using FPGAs can be regarded as semiconductor devices containing digital logic, so it is possible to verify them with the methods used for testing semiconductor devices. Specifically, if the outputs corresponding to all the inputs and all the internal states of the logic in the semiconductor device can be compared with predicted values calculated from the design specifications, the static input-output characteristics can be fully verified, with the exception of failures due to timing. This verification method is called exhaustive testing.
However, since the combination of all the input bits with all the internal states of the device produces a very large number of patterns in an actual ASIC device, it is difficult to compare every output pattern corresponding to every input and internal-state pattern with the predicted values. Accordingly, it becomes important to evaluate an input pattern sequence in which failures can be found efficiently. For example, the logic patterns in the device are evaluated to estimate input pattern groups in which every internal register operates at least once, or “stuck-at” fault models are used, or an input pattern sequence in which failures can be found is calculated by fault simulation.
However, since only some of the input patterns are tested in the above verification method, there is the problem that faults arising from combinations within the internal logic, or faults not anticipated in the fault simulation, cannot be detected.
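As an added illustration (not part of the patent text) of the exhaustive testing described above and of why a partial pattern sequence can miss a fault, the following Python model compares a small constructed trip-logic block against its specification for every input and internal-state pattern, and then runs a much cheaper "every input bit exercised once" sequence over the same block. The trip logic, the bit widths, and the injected comparator defect are all constructed for this example.

```python
from itertools import product
from typing import Callable, List, Tuple

BITS = 4  # width of the dose and setpoint inputs (constructed; real devices are far wider)

def spec_next(dose: int, setpoint: int, reset: int, tripped: int) -> int:
    """Predicted value from the design specification: trip when the measured dose
    reaches the setpoint, and hold the trip (latch) until an explicit reset."""
    return int(dose >= setpoint or (tripped and not reset))

def good_logic(dose: int, setpoint: int, reset: int, tripped: int) -> int:
    """Hard-wired trip logic as implemented (constructed); matches the spec."""
    compare = int(dose >= setpoint)
    hold = tripped & (reset ^ 1)
    return compare | hold

def faulty_logic(dose: int, setpoint: int, reset: int, tripped: int) -> int:
    """Same logic with one comparator defect ('>' instead of '>='); its effect is
    masked whenever the latch already holds the trip, so only some patterns expose it."""
    compare = int(dose > setpoint)
    hold = tripped & (reset ^ 1)
    return compare | hold

# Every input pattern combined with every internal state (the latch bit).
ALL_PATTERNS = list(product(range(2 ** BITS), range(2 ** BITS), (0, 1), (0, 1)))

def exhaustive_test(dut: Callable[..., int]) -> Tuple[int, List[tuple]]:
    """Compare dut with the spec for every input pattern and every internal state.
    Returns (patterns checked, mismatching patterns)."""
    mismatches = [p for p in ALL_PATTERNS if dut(*p) != spec_next(*p)]
    return len(ALL_PATTERNS), mismatches

def single_toggle_test(dut: Callable[..., int]) -> Tuple[int, List[tuple]]:
    """A cheap 'every input bit exercised once' sequence (constructed): a baseline
    pattern plus every pattern that flips exactly one bit of it."""
    base = (0, 2 ** BITS - 1, 0, 0)
    patterns = [base]
    for idx, width in enumerate((BITS, BITS, 1, 1)):
        for bit in range(width):
            flipped = list(base)
            flipped[idx] ^= 1 << bit
            patterns.append(tuple(flipped))
    mismatches = [p for p in patterns if dut(*p) != spec_next(*p)]
    return len(patterns), mismatches

def pattern_space(input_bits: int, state_bits: int) -> int:
    """Number of input/internal-state patterns exhaustive testing must cover."""
    return 2 ** (input_bits + state_bits)
```

The exhaustive run exposes the defect only on patterns where the dose equals the setpoint and the latch does not mask the comparator, while the single-toggle sequence passes the faulty block unchanged; `pattern_space(65, 1)` shows why the full run stops being practical once the inputs are 32 bits wide.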
In addition, in the process of implementing the logic in hardware such as an FPGA, it is necessary to prepare software in which the structure of the hardware is described (HDL: Hardware Description Language) and to use a general-purpose software tool, such as a synthesis tool, for converting that HDL into the actual logic of the FPGA. Consequently, higher reliability must be ensured even in the design phase in order to eliminate faults introduced by off-the-shelf software.
If the above-mentioned exhaustive testing can be used in the performance verification of an instrumentation system, it is possible to show that there is no static logic error (no deterministic logic error). However, if the above verification method cannot be carried out, verification such as V&V appears to be required, as for conventional software.
A system using an FPGA performs deterministic processing, unlike processing by a CPU, and its processing time is generally determinable. In addition, a system using an FPGA is characterized by easily meeting the design conditions for building a highly reliable system, because a single loop executes only one process.
As described above, in terms of verification of the instrumentation system, implementing the safety system for a nuclear plant in hardware logic gives the greater benefit. However, the challenge is to validate the instrumentation system at a verification level equivalent to exhaustive testing. Consequently, there is demand for a system that allows easy confirmation of whether the output characteristics corresponding to the inputs comply with the design specifications, and for a verification method using such a system.
In addition to the static logic errors described above, errors due to internal operation timing can occur. For example, if the transmission delay in the internal logic varies with environmental conditions, including temperature, the system can operate improperly. In data exchange with an asynchronous unit, such as an external unit, deterministic values might not be obtained, depending on the timing at which the data is accepted.
In order to prevent errors due to timing, it is necessary to design the system so that such errors are taken into account, by timing simulation or the like, and to apply a general design technique to the external interface, such as adopting a synchronous design in which the values are less apt to become indeterminate.
In other words, it is important to adopt structures and test methods capable of preventing errors due to timing even in the safety systems using the FPGAs and there is a demand for development of systems having such structures and test methods.